03.19.2009

VU#276563: Autonomy KeyView SDK buffer overflow vulnerability

Vulnerability Note VU#276563

Autonomy KeyView SDK buffer overflow vulnerability

Overview

Autonomy KeyView SDK contains a buffer overflow vulnerability that may allow an attacker to execute arbitrary code.

I. Description

Autonomy KeyView SDK is a commercial software development kit (SDK) that includes file filtering libraries. A vulnerability exists in the way the SDK libraries process specially crafted WordPerfect documents. According to iDefense:

    This vulnerability exists within the "wp6sr.dll," which implements the processing of WordPerfect documents. When processing certain records, data is copied from the file into a fixed-size stack buffer without ensuring that enough space is available. By overflowing the buffer, an attacker can overwrite control flow structures stored on the stack.

Note that this issue affects products that use Autonomy KeyView SDK. These include IBM Lotus Notes and Symantec products.

II. Impact

An unauthenticated attacker may be able to execute arbitrary code or cause a vulnerable system to crash.

III. Solution

Apply updates

Developers should contact Autonomy KeyView support for information on how to obtain updated software that addresses this issue.

IBM has released an alert for Lotus Notes to address this issue.

Symantec has released SYM09-004 to address this issue.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Autonomy | Vulnerable | | 2009-03-19
IBM Corporation | Vulnerable | | 2009-03-19
Symantec | Vulnerable | | 2009-03-19

References

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=774

https://customers.autonomy.com/support/login.jsp?notLoggedIn=true&origURL=%2Fsecure%2Fdocs%2FUpdates%2FKeyview%2FFilter+SDK%2F10.4%2Fkv_update_nti40_10.4.zip.readme.html

http://www-01.ibm.com/support/docview.wss?uid=swg21377573

http://secunia.com/advisories/34307/

http://securityresponse.symantec.com/avcenter/security/Content/2009.03.17a.html

http://secunia.com/advisories/34318/

Credit

This issue was made public by iDefense.

This document was written by Chris Taschner.

Other Information

Date Public: 2009-03-17
Date First Published: 2009-03-19
Date Last Updated: 2009-04-30
CERT Advisory:
CVE-ID(s): CVE-2008-4564
NVD-ID(s): CVE-2008-4564
US-CERT Technical Alerts:
Metric: 6.00
Document Revision: 9
05.30.2008

VU#520586: OpenSSL TLS handshake Denial of Service

Vulnerability Note VU#520586

OpenSSL TLS handshake Denial of Service

Overview

A vulnerability exists in OpenSSL that may allow a remote attacker to cause a denial of service.

I. Description

OpenSSL contains a vulnerability in the way specially crafted TLS handshake packets are handled that may result in a denial of service. According to OpenSSL Security Advisory [28-Mar-2008]:

    ... if the 'Server Key exchange message' is omitted from a TLS handshake in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a malicious server with particular cipher suites, the server could cause the client to crash.

Note that this issue may affect OpenSSL versions prior to 0.9.8h.

II. Impact

A remote, unauthorized attacker may be able to cause a denial of service.

III. Solution

Upgrade or Apply Patch

OpenSSL has issued an upgrade and a patch to address this issue. See OpenSSL Security Advisory [28-Mar-2008] for more information. OpenSSL is included in various Linux and UNIX distributions. Please consult the relevant documentation of your distribution to obtain the appropriate updates.

Systems Affected

Vendor | Status | Date Updated
OpenSSL | Vulnerable | 30-May-2008

References

http://www.securityfocus.com/bid/29405

http://cert.fi/haavoittuvuudet/2008/advisory-openssl.html

http://secunia.com/advisories/30405/

http://www.openssl.org/news/secadv_20080528.txt

Credit

This issue was reported in OpenSSL Security Advisory [28-Mar-2008]. OpenSSL credits Codenomicon for reporting these issues.

This document was written by Chris Taschner.

Other Information

Date Public: 05/28/2008
Date First Published: 05/30/2008 01:34:58 PM
Date Last Updated: 05/30/2008
CERT Advisory:
CVE Name: CVE-2008-1672
US-CERT Technical Alerts:
Metric: 14.70
Document Revision: 8
05.30.2008

VU#661475: OpenSSL Server Name extension Denial of Service

Vulnerability Note VU#661475

OpenSSL Server Name extension Denial of Service

Overview

A vulnerability exists in OpenSSL that may allow a remote attacker to cause a denial of service.

I. Description

OpenSSL contains a vulnerability in the way server name extension data is handled that may result in a denial of service. According to OpenSSL Security Advisory [28-Mar-2008]:

    If OpenSSL has been compiled using the non-default TLS server name extensions, a remote attacker could send a carefully crafted packet to a server application using OpenSSL and cause it to crash.

Note that this issue may affect OpenSSL versions prior to 0.9.8h.

II. Impact

A remote, unauthorized attacker may be able to cause a denial of service.

III. Solution

Upgrade or Apply Patch

OpenSSL has issued an upgrade and a patch to address this issue. See OpenSSL Security Advisory [28-Mar-2008] for more information. OpenSSL is included in various Linux and UNIX distributions. Please consult the relevant documentation of your distribution to obtain the appropriate updates.

Systems Affected

Vendor | Status | Date Updated
OpenSSL | Vulnerable | 30-May-2008

References

http://www.securityfocus.com/bid/29405

http://cert.fi/haavoittuvuudet/2008/advisory-openssl.html

http://secunia.com/advisories/30405/

http://www.openssl.org/news/secadv_20080528.txt

Credit

This issue was reported in OpenSSL Security Advisory [28-Mar-2008]. OpenSSL credits Codenomicon for reporting these issues.

This document was written by Chris Taschner.

Other Information

Date Public: 05/28/2008
Date First Published: 05/30/2008 11:34:51 AM
Date Last Updated: 05/30/2008
CERT Advisory:
CVE Name: CVE-2008-0891
US-CERT Technical Alerts:
Metric: 14.88
Document Revision: 7
05.6.2008

VU#596268: Wonderware SuiteLink null pointer dereference

Vulnerability Note VU#596268

Wonderware SuiteLink null pointer dereference

Overview

A vulnerability in the way Wonderware SuiteLink handles malformed TCP packets could result in a denial of service.

I. Description

Wonderware SuiteLink is a protocol based on TCP/IP that runs as a service listening for connections on port 5413/tcp on Microsoft Windows operating systems. A vulnerability exists in the way the Wonderware SuiteLink Service slssvc.exe handles malformed TCP packets. According to Core Security Advisory CORE-2008-0129:

    Unauthenticated client programs connecting to the service can send a malformed packet that causes a memory allocation operation (a call to the new() operator) to fail, returning a NULL pointer. Due to a lack of error-checking for the result of the memory allocation operation, the program later tries to use the pointer as the destination of a memory copy operation, triggering an access violation error and terminating the service.

Note that this issue affects Wonderware SuiteLink prior to version 2.0 Patch 01. Exploit code for this vulnerability is publicly available.
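The allocation-failure pattern the Core advisory describes, shown as an added example in C (not Wonderware's code and not a reproduction of slssvc.exe): a length-prefixed record is parsed, a buffer of the declared size is allocated, and the body is copied into it. The unchecked handler dereferences a NULL allocation result; the checked handler bounds the declared length against a cap and against the bytes actually received, then tests the allocation before using it. The injectable allocator, the 4-byte length prefix and the sample records are assumptions of the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The allocator is passed in so a test can make allocation fail on demand;
 * this indirection is an assumption of the example, not part of any real
 * protocol library. */
typedef void *(*alloc_fn)(size_t);

#define MAX_BODY 4096   /* largest record body this hypothetical service accepts */
static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Defect class described above: the declared length is trusted and the
 * allocation result is used without a NULL check. A huge declared length makes
 * the allocation fail, and memcpy then writes through the NULL pointer. */
void handle_record_unchecked(const uint8_t *pkt, alloc_fn alloc)
{
    uint32_t declared = be32(pkt);
    uint8_t *body = alloc(declared);          /* may be NULL */
    memcpy(body, pkt + 4, declared);          /* access violation when it is */
    free(body);
}

/* Hardened handler: 0 on success, negative code for a rejected record. Every
 * untrusted length is bounded before use and the allocation is checked before
 * it is dereferenced, so a bad client loses its record, not the service. */
int handle_record_checked(const uint8_t *pkt, size_t pktlen, alloc_fn alloc)
{
    if (pktlen < 4) return -1;                /* no room for the length field */
    uint32_t declared = be32(pkt);
    if (declared > MAX_BODY) return -2;       /* absurd size: reject before allocating */
    if (declared > pktlen - 4) return -3;     /* more bytes declared than received */
    uint8_t *body = alloc(declared ? declared : 1);
    if (body == NULL) return -4;              /* allocation failed: report, never deref */
    memcpy(body, pkt + 4, declared);
    free(body);
    return 0;
}

/* Allocator that always fails, to simulate the exhaustion the advisory describes. */
void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Constructed sample records (not captured traffic): 4-byte big-endian length, then body. */
const uint8_t REC_OK[8]   = { 0, 0, 0, 4, 'a', 'b', 'c', 'd' };   /* declares 4, carries 4 */
const uint8_t REC_HUGE[8] = { 0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0 }; /* declares ~4 GiB */
const uint8_t REC_LIE[8]  = { 0, 0, 0, 16, 'a', 'b', 'c', 'd' };  /* declares 16, carries 4 */
```

Capping the declared size before allocating matters as much as the NULL check: an allocator that honours a multi-gigabyte request does not crash, but it lets one client exhaust the service's memory.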

II. Impact

A remote, unauthenticated attacker may be able to cause a denial-of-service condition.

III. Solution

Apply an update

This issue is addressed in Wonderware SuiteLink Version 2.0 Patch 01. Wonderware SuiteLink customers should refer to Wonderware Tech Alert 106 and Wonderware Security Manual - Securing Industrial Control Systems for more details.

Systems Affected

Vendor | Status | Date Updated
Invensys | Vulnerable | 23-May-2008
Wonderware | Vulnerable | 23-May-2008

References

http://www.coresecurity.com/?action=item&id=2187

http://www.securityfocus.com/bid/28974

http://secunia.com/advisories/30063/

http://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002260.htm

http://www.wonderware.com/support/web/secure/downloads/download_serve.asp?id=2355&url=http://www.wonderware.com/support/mmi/registered/patchfixes/SL2.0P1.zip

http://www.wonderware.com/support/mmi/esupport/securitycentral/documents/BestPractices/WWSecGd041707

http://portal.wonderware.com/sites/securitycentral/default.aspx

http://www.milw0rm.com/exploits/6474

Credit

This vulnerability was reported in Core Security Advisory CORE-2008-0129.

This document was written by Chris Taschner.

Other Information

Date Public: 05/05/2008
Date First Published: 05/06/2008 04:01:06 PM
Date Last Updated: 09/17/2008
CERT Advisory:
CVE-ID(s): CVE-2008-2005
NVD-ID(s): CVE-2008-2005
US-CERT Technical Alerts:
Metric: 3.07
Document Revision: 14
05.1.2008

VU#929656: BGP implementations do not properly handle UPDATE messages

Vulnerability Note VU#929656

Multiple BGP implementations do not properly handle UPDATE messages

Overview

BGP implementations from multiple vendors including Juniper may not properly handle specially crafted BGP UPDATE messages. These vulnerabilities could allow an unauthenticated, remote attacker to cause a denial of service. Disrupting BGP communication could lead to routing instability.

I. Description

The Border Gateway Protocol (BGP, RFC 4271) is a widely used inter-Autonomous System routing protocol. BGP communication among peer routers is critical to the stable operation of the internet. Multiple vendors' BGP implementations do not properly handle specially crafted BGP UPDATE messages. A vulnerable BGP implementation could drop sessions when processing crafted UPDATE messages, and a persistent attack could lead to routing instability (route flapping). To affect a BGP session, an attacker would need to successfully inject a specially crafted packet into an existing BGP session or the underlying TCP session (179/tcp). In other words, the attacker would need to have a valid, configured BGP session or be able to spoof TCP traffic.

This vulnerability was first announced as affecting Juniper routers. Further investigation indicates that other vendors are affected by the same or similar issues. Please see the Systems Affected section below.
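The length-consistency checks an UPDATE parser must perform before trusting any field, as an added example in C (not code from Juniper or any other vendor in the Systems Affected table, and not a reproduction of the reported defect): it validates the header, then the Withdrawn Routes Length and Total Path Attribute Length against the bytes actually received per RFC 4271 §4.3 and §6.3, and walks both prefix lists. The sample messages are constructed, and the IPv4-only prefix check is an assumption of the example.

```c
#include <stddef.h>
#include <stdint.h>

#define BGP_UPDATE 2

/* Walk a Withdrawn Routes or NLRI field (RFC 4271 §4.3): a run of
 * <length in bits, prefix> entries that must end exactly at n. IPv4 only. */
static int prefixes_ok(const uint8_t *p, size_t n)
{
    size_t i = 0;
    while (i < n) {
        uint8_t bits = p[i++];
        size_t octets = (bits + 7) / 8;
        if (bits > 32 || octets > n - i) return 0;  /* bad length or prefix runs past field */
        i += octets;
    }
    return 1;
}

/* Returns 0 when m[0..n) holds one structurally consistent UPDATE message,
 * otherwise a negative code naming the first inconsistent field. Every length
 * field is checked against what is actually present before anything is read
 * through it. */
int bgp_update_check(const uint8_t *m, size_t n)
{
    if (n < 23 || n > 4096) return -1;              /* an UPDATE is 23..4096 octets */
    for (size_t i = 0; i < 16; i++)
        if (m[i] != 0xFF) return -2;                /* marker must be all ones */
    size_t len = (size_t)m[16] << 8 | m[17];
    if (len != n) return -3;                        /* header length vs. bytes on the wire */
    if (m[18] != BGP_UPDATE) return -4;
    size_t wrl = (size_t)m[19] << 8 | m[20];        /* Withdrawn Routes Length */
    if (wrl > len - 23) return -5;                  /* would read past the message */
    size_t tpal = (size_t)m[21 + wrl] << 8 | m[22 + wrl]; /* Total Path Attribute Length */
    if (wrl + tpal > len - 23) return -6;           /* RFC 4271 §6.3: Malformed Attribute List */
    if (!prefixes_ok(m + 21, wrl)) return -7;       /* withdrawn routes */
    if (!prefixes_ok(m + 23 + wrl + tpal, len - 23 - wrl - tpal)) return -8; /* NLRI */
    return 0;
}

/* Constructed sample messages (not captured traffic). Each is 25 octets:
 * header, WRL, one withdrawn prefix, TPAL, no attributes, no NLRI. */
#define MARKER 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
const uint8_t UPD_WITHDRAW[25] = { MARKER, 0x00,0x19, BGP_UPDATE, 0x00,0x02, 8,10, 0x00,0x00 }; /* withdraws 10.0.0.0/8 */
const uint8_t UPD_BAD_WRL[25]  = { MARKER, 0x00,0x19, BGP_UPDATE, 0xFF,0xFF, 8,10, 0x00,0x00 }; /* WRL overruns */
const uint8_t UPD_BAD_TPAL[25] = { MARKER, 0x00,0x19, BGP_UPDATE, 0x00,0x02, 8,10, 0x7F,0xFF }; /* TPAL overruns */
const uint8_t UPD_BAD_PFX[25]  = { MARKER, 0x00,0x19, BGP_UPDATE, 0x00,0x02, 40,10, 0x00,0x00 }; /* /40 is impossible */
```

Under RFC 4271 §6.3 a message that fails these checks still draws a NOTIFICATION and closes the session, so validation prevents the crash but not the reset. Keeping unauthorised peers off 179/tcp, as the Solution section below advises, is what protects the session itself.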

II. Impact

A remote attacker could cause a denial of service by injecting a specially crafted BGP UPDATE message into a legitimate BGP session. An attacker with a configured BGP session could attack targets several BGP hops away, or an attacker could spoof TCP traffic.

III. Solution

Upgrade

Upgrade your BGP software as appropriate. Please see the Systems Affected section below for information about specific vendors.

In order to send a specially crafted BGP UPDATE message, an attacker must have or spoof a valid BGP connection. The following workarounds and other BGP security techniques may provide some defense against spoofed connections; however, spoofed connections may not be a realistic threat scenario, and the more correct resolution is to upgrade.

Authenticate BGP Traffic

Use TCP MD5 to authenticate BGP traffic (RFC 2385). Only allow BGP traffic from authorized peers. It is generally recognized that TCP MD5

Restrict BGP Access

Restrict BGP network access to authorized peers. If possible, run BGP on management networks, not transit networks. More information about BGP security (including secure BGP configuration templates) is available from the Team Cymru Reading Room.

Systems Affected

Vendor | Status | Date Updated
3com, Inc. | Unknown | 13-Dec-2007
ACCESS | Not Vulnerable | 20-May-2008
Alcatel | Unknown | 13-Dec-2007
AT&T | Unknown | 13-Dec-2007
Avaya, Inc. | Unknown | 13-Dec-2007
Avici Systems, Inc. | Vulnerable | 28-Apr-2008
Century Systems Inc. | Vulnerable | 28-Apr-2008
Charlotte's Web Networks | Unknown | 13-Dec-2007
Check Point Software Technologies | Unknown | 13-Dec-2007
Cisco Systems, Inc. | Not Vulnerable | 6-May-2008
D-Link Systems, Inc. | Unknown | 13-Dec-2007
Data Connection, Ltd. | Unknown | 13-Dec-2007
Extreme Networks | Unknown | 13-Dec-2007
F5 Networks, Inc. | Unknown | 13-Dec-2007
Force10 Networks, Inc. | Not Vulnerable | 22-Feb-2008
Foundry Networks, Inc. | Not Vulnerable | 28-Apr-2008
Fujitsu | Not Vulnerable | 28-Apr-2008
GNU Zebra | Not Vulnerable | 20-May-2008
Hitachi | Vulnerable | 12-Aug-2008
Hyperchip | Unknown | 13-Dec-2007
IBM Corporation | Unknown | 13-Dec-2007
Ingrian Networks, Inc. | Unknown | 13-Dec-2007
Intel Corporation | Unknown | 8-Apr-2008
IP Infusion, Inc. | Not Vulnerable | 20-May-2008
Juniper Networks, Inc. | Vulnerable | 1-May-2008
Lucent Technologies | Unknown | 13-Dec-2007
Luminous Networks | Unknown | 13-Dec-2007
Multinet (owned Process Software Corporation) | Unknown | 13-Dec-2007
Multitech, Inc. | Unknown | 13-Dec-2007
NEC Corporation | Vulnerable | 6-Jun-2008
Network Appliance, Inc. | Not Vulnerable | 14-Dec-2007
NextHop Technologies, Inc. | Unknown | 13-Dec-2007
Nokia | Unknown | 8-Apr-2008
Nortel Networks, Inc. | Unknown | 13-Dec-2007
OpenBSD | Unknown | 22-Feb-2008
Quagga | Not Vulnerable | 28-Apr-2008
Redback Networks, Inc. | Unknown | 13-Dec-2007
Riverstone Networks, Inc. | Unknown | 13-Dec-2007
Sun Microsystems, Inc. | Not Vulnerable | 28-Apr-2008
Wind River Systems, Inc. | Unknown | 13-Dec-2007
Yamaha Corporation | Vulnerable | 28-Apr-2008
ZyXEL | Unknown | 13-Dec-2007

References

http://www.kb.cert.org/vuls/id/415294

http://tools.ietf.org/html/rfc4271

http://www.iana.org/assignments/bgp-parameters

http://tools.ietf.org/html/rfc2385

http://tools.ietf.org/html/rfc2439

http://secunia.com/advisories/28100/

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6372

https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2007-12-008&viewMod%20e=view

http://isc.sans.org/diary.php?storyid=3748

https://puck.nether.net/pipermail/juniper-nsp/2007-December/009294.html

https://puck.nether.net/pipermail/juniper-nsp/2007-December/009299.html

http://jvn.jp/cert/JVNVU929656/index.html

http://osvdb.org/show/osvdb/39157

http://www.securityfocus.com/bid/26869

http://www.frsirt.com/english/advisories/2007/4223

http://securitytracker.com/alerts/2007/Dec/1019100.html

http://www.team-cymru.org/?sec=13&opt=28

http://secunia.com/advisories/30028/

Credit

Thanks to members of the Juniper Security Incident Response Team for help in preparing this document.

This document was written by Art Manion.

Other Information

Date Public: 12/12/2007
Date First Published: 05/06/2008 02:30:49 PM
Date Last Updated: 09/08/2008
CERT Advisory:
CVE-ID(s): CVE-2007-6372
NVD-ID(s): CVE-2007-6372
US-CERT Technical Alerts:
Metric: 24.49
Document Revision: 56
